Halamka Knows Perils And Promise Of Healthcare BYOD

One of the nation's top healthcare CIOs discusses Beth Israel Deaconess Medical Center's $200K project to secure personal devices used for work.

9 Mobile EHRs Compete For Doctors'
Attention

(click image for larger view and for slideshow)

"BYOD is an unstoppable force." That's the unequivocal view of Dr. John Halamka, CIO of Beth Israel Deaconess Medical Center. Halamka, speaking on Tuesday's InformationWeek Healthcare Virtual Event, discussed the opportunities the bring-your-own-device movement affords IT managers and clinicians alike, as well as the risks and responsibilities now placed on CIOs' shoulders.

"Although CIOs would much rather focus on the cool apps of the future or that 3D holographic iPad, compliance and regulatory imperatives are a must do," Halamka said. Much of his presentation dealt with those imperatives and the accountability associated with them.

His take-home message on how to keep patient data safe was straightforward: "Policy is no longer enough."

Until recently, BIDMC clinicians had to follow a detailed policy that outlined procedures for password protection, encryption, device firewalls, time out periods, automatic wipes and the like if they were going to use their personal mobile device to access patient data.

Unfortunately, about a year ago an unsecured personal laptop containing sensitive data was stolen from one of BIDMC's doctors, costing the medical center hundreds of thousands of dollars in legal fees and forensic analysis. At that point, the institution decided that it had to go beyond policy and put specific technologies in place to secure all devices, Halamka said.

BIDMC's IT department initially shut down all smartphone email protocols, with the exception of Exchange Activesync, which lets IT managers enforce certain settings on a mobile device.
Then, the team audited all BIDMC-purchased devices, tagging each of them and ensuring that their data was properly encrypted. Next, they turned to the personally owned devices being used to access the BIDMC network and encrypted the data on those devices, scanned for malware, and installed antivirus updates and patches as needed. Equally important, they required employees to attest to all the devices they use in the workplace, and to the fact that the sensitive data on them had been encrypted.

It was a big project given the age of some of the hardware and software. In addition to using Bitlocker and FileVault2, the BIDMC IT department had to install self-encrypting drives to secure some devices.

In total. BIMDC spent about $200,000 on the project, but as Halamka pointed out, it can cost an institution that much if it loses a single unsecured laptop.

Again, the lesson is clear: Don't wait until federal regulators come knocking at your door asking why you didn't secure a stolen iPad that contained HIPAA-related patient data. They don't want to hear that you had a policy in place and that you warned the doc to encrypt the device. Like it or not, accountability rests on your shoulders.

Join two prominent IBM healthcare executives, along with Dr. Carolyn McGregor, associate professor at the University of Ontario Institute of Technology, and Annamarie Saarinen, founder of the Newborn Foundation, to discuss how big data analytics is helping to improve outcomes and reduce morbidity and mortality among critically ill infants and ICU patients. This IBM-sponsored Webcast will take place on Dec. 17 at 1:00 p.m. EST. Register here.

I hate to say it but even though BIMDC has done a lot of work... they will never be secure if they continue to have an open BYOD policy.

Specific devices come and go on a daily basis. And new device types pop up all the time. There is no way for them to absolutely guarantee that all devices connecting to their network are secure.

BYOD may be unstoppable in general, but it can be regulated and controlled to the extent that is required to ensure data security. It just takes will power to say NO to certain devices, software, and - most importantly - employee attitudes about their "right" of use and access.

Even with the precautions taken by encrypting drives and enabling remote wipes, BYOD is still very risky for organizations, mostly because of the variety of applications and OSs that must be supported. A vulnerability in a mobile OS (such as the known vulns for Android and iOS) or client-side application (such as the recent Java update) can give access to patient records w/o the need to steal the device. I feel as if BYOD is just an added risk that isn't necessary, regardless of how much pressure physicians put on management. The bottom line is that healthcare organizations need to do what they can to secure patient data, and any BYOD opens up too many possibilities.

I agree (I think). It's not clear to me that BYOD is less secure than corporately issued mobile devices. At the end of the day, both are as secure as the enterprise decides to make them. It doesn't have to be Bring "Any" Device. For example, the majority of Samsung's Smartphones (eg: the S3) have some enterprise security firmware in them called SAFE. According to Samsung, not all EMM solutions (see Larry's reply) are created equal. Some EMM solutions like Mobile Iron, SOTI, Airwatch, SAP Afaria, and Zenprise do a better job of supporting SAFE than others. If an enterprise decides on Mobile Iron for it's EMM standard, then it could look to see what smartphones it ties into better than others and (1) limit the BYOD whitelist to those devices, and (2) require full compliance or the device is denied access. This isn't remarkably different from the way corporately issued devices have worked in the past and some EMM solutions go way beyond what came out of the box from Microsoft and RIM in years gone by. The enterprise just has to stick to its guns.

I think you and Larry have touched upon my main point. That being, that a company can have a BYOD policy but they had better control it tightly or else they will some day pay a price.

In the end, the only difference between BYOD and company provided devices will be that the end user pays for the device. The company pays for everything else. And, I think that can be a very open ended spigot of ongoing expenses.

I would actually like to see someone do a decent study on what the cost differences are between those two scenarios. It seems to me that a company would be better off providing a choice in phones, tablets, etc. from the popular list and then only allowing those devices. Devices that the company has a hedge on protecting because they are a known quantity.

HealthcareGÇÖs poor cybersecurity track record is really troubling. Medical records are master keys into a patientGÇÖs life; they contain all of the critical data that would enable thieves to clear nearly any security hurdle in assuming an identity for monetary gain or to perpetrate medical fraud. Clearly, addressing BYOD is a huge part of the security equation. ItGÇÖs great that BIDMC is giving this issue the attention it deserves. If your organization hasn't created a clear BYOD policy yet, I suggest taking a look at our list of BYOD traps to avoid: http://blog.perimeterusa.com/2...

Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.

Worries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?